HITECH Implications for Business Associate Agreements:
What Should You Do and When Should You Do It?
By Rachel Nosowsky, Esq., Miller Canfield Paddock & Stone PLC, Ann Arbor, MI
Title XIII of the American Recovery and Reinvestment Act of 2009 (“ARRA”), called the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, codifies and expands on many of the requirements promulgated by the Department of Health & Human Services (“DHHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to protect the privacy and security of protected health information (“PHI”).
For example, HITECH for the first time directly regulates business associates – defined to include persons who, on behalf of a covered entity (but other than as members of the covered entity’s workforce), perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA. Specifically, effective February 17, 2010, HITECH will:
- Require business associates to comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for electronic protected health information (“e-PHI”); and development and enforcement of related policies, procedures, and documentation standards (including designation of a security official).
- Impose on business associates an obligation to directly comply with HIPAA’s business associate safeguards, including limiting use and disclosure of PHI as specified in the agreement or as required by law; facilitating access, amendment and accounting of disclosures; opening books and records to DHHS; and returning or destroying PHI, if feasible, upon contract termination.
- Deem a business associate to violate HIPAA if the business associate knows of a “pattern of activity or practice” by a covered entity that breaches their business associate agreement (“BAA”), but fails to cure the breach, terminate the BAA, or report the non-compliance to DHHS.
- Require DHHS to conduct compliance audits.
HITECH’s enhanced privacy and security standards are applicable to both covered entities and business associates, and generally also become effective February 17, 2010. They include:
- Breach notification (interim final regulations are due August 17, 2009 and will become effective 30 days later);
- New restrictions on disclosures to health plans, clarified minimum necessary standards, expanded accounting requirements applicable to electronic health records (effective as early as January 2011), and revised prohibitions on sales of PHI;
- Updated marketing and fundraising restrictions; and
- Enhanced civil and criminal penalties for non-compliance.
BAA Compliance After HITECH
Health law practitioners have developed no clear consensus on the implications of HITECH for BAAs, and in particular disagree on whether there is any actual mandate to amend existing agreements. Some argue that because HITECH now directly regulates business associates and directly imposes on them the new privacy and security obligations defined in Subtitle D, it is unnecessary to update existing BAAs. Others point out that Sections 13401 and 13404 explicitly mandate that HITECH’s new security and privacy provisions be “incorporated into the business associate agreement[.]”
In truth, the need to amend may well depend on the specific language included in existing BAAs and its interpretation by the parties and, ultimately, DHHS. For example, sample BAA language developed by the Office for Civil Rights provides: “The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and [HIPAA].” While some first-generation BAAs adopted this language wholesale, others provided for automatic amendment or amendment by notice from the covered entity to incorporate any revisions necessary to assure ongoing compliance without the need to re-contract. Some attorneys argue that even the sample language (particularly if previously updated to comply with the Security Rule) adequately addresses any new mandates, as it defines regulatory references to mean those “in effect or as amended” and requires any ambiguity in interpretation of the BAA to be “resolved to permit the Covered Entity to comply” with HIPAA. Given the explicit mandate in HITECH to incorporate its new provisions, the safer approach may well be to amend the agreements, unless DHHS develops a safe harbor to avoid the assumption by covered entities of massive and arguably unnecessary administrative costs. Many covered entities, however, particularly large ones with extensive vendor networks and complex contracting processes, may determine that such costs are prohibitive, notwithstanding the potentially significant penalties the parties could be subject to for failure to adhere to the plain language of the new law.
Additional issues covered entities and business associates should consider in evaluating existing agreements and developing or negotiating new ones include:
- Who is a Business Associate? Because HITECH imposes direct obligations on business associates and provides for the imposition of civil and criminal penalties on non-compliant business associates, vendors may want to re-evaluate their position. In the past, some vendors who did not believe themselves to be “business associates” as defined in HIPAA willingly signed BAAs because their obligations under those agreements were not, practically speaking, particularly substantial. Others who thought they might be business associates but whose customers failed to ask them to sign BAAs did not press the issue, on the theory that failure to execute a BAA was a compliance problem only for the covered entity. Today, the stakes have changed: a vendor’s acknowledgement that it is a business associate when it is not can unnecessarily expose the vendor to substantial civil and criminal penalties under 42 U.S.C. §§ 1320d-5 and 1320d-6; yet its failure to enter a BAA when one is required would violate HITECH. One way to resolve this conundrum is to provide in a scope statement that the BAA applies only if and to the extent the vendor is a business associate to the covered entity (as defined in HIPAA), and that the vendor does not, by signing the BAA, concede it is one.
- Security Guidance. HITECH requires DHHS to issue annual guidance on “the most effective and appropriate technical safeguards” to facilitate compliance with the Security Rule. Moreover, the law’s breach notification provisions will apply only to breaches of “unsecured” PHI. PHI is deemed unsecured unless rendered “unusable, unreadable, or indecipherable” to unauthorized individuals by technologies or methodologies explicitly identified in separate guidance issued by DHHS (and currently limited to encryption or destruction). Covered entities who want their vendors to adopt and maintain what might be considered industry best practices may wish to require those vendors to commit to comply with all relevant security guidance. Business associates may be willing to implement existing guidance, but many are unlikely to want to commit in advance to language that mandates adoption of unspecified standards at unknown cost.
- Accounting for Disclosures. HITECH permits a covered entity to comply with its accounting responsibilities with respect to electronic health records by providing a complete accounting or by providing an accounting of the covered entity’s disclosures and a “list of all business associates acting on behalf of the covered entity including contact information[.]” Parties to a BAA may or may not want to specify in advance how the covered entity will respond to future requests for accountings.
- Responsibility for Noncompliance. Covered entities are directly accountable under HIPAA only for their own conduct and the conduct of their workforces. Yet “workforce” is defined broadly (and imprecisely) to include “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.” This can include temporary employees, outsourced staff, and others who may under federal and state tax and employment laws and service contracts be considered employees of a business associate but nevertheless in some respects are the responsibility of the covered entity. Moreover, many HIPAA standards that apply to a covered entity’s direct actions are implicated by a business associate’s non-compliance. For example, a covered entity that fails properly to respond to its business associate’s non-compliance with the Privacy Rule thereby may be deemed to have violated HIPAA. For these reasons, HITECH’s enhanced enforcement provisions may cause covered entities to seek broader assurances from business associates (e.g., indemnification) than previously was the case. Business associates, by contrast, are likely to seek protection for actions taken at the direction of a covered entity or its employees, and to impose other limits on potential liability to their customers (or third parties) in connection with the underlying arrangements.
Covered entities and business associates alike should work now to develop strategies for eventual compliance with HITECH. However, it remains unclear how, precisely, DHHS will implement HITECH. In addition to the security breach notification regulations required under Section 13402, HITECH instructs DHHS to amend HIPAA regulations to assure consistency with the new law. Accordingly, regulated persons may wish to delay for some period of time actual development and implementation of new agreements or amendments, in order to avoid any duplication of effort that might be required if the eventual regulations include unanticipated provisions.